--- /dev/null
+From 5cc41e099504b77014358b58567c5ea6293dd220 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Thu, 7 Jun 2018 17:11:01 -0700
+Subject: fs/binfmt_misc.c: do not allow offset overflow
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 5cc41e099504b77014358b58567c5ea6293dd220 upstream.
+
+WHen registering a new binfmt_misc handler, it is possible to overflow
+the offset to get a negative value, which might crash the system, or
+possibly leak kernel data.
+
+Here is a crash log when 2500000000 was used as an offset:
+
+ BUG: unable to handle kernel paging request at ffff989cfd6edca0
+ IP: load_misc_binary+0x22b/0x470 [binfmt_misc]
+ PGD 1ef3e067 P4D 1ef3e067 PUD 0
+ Oops: 0000 [#1] SMP NOPTI
+ Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy
+ CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
+ RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc]
+ Call Trace:
+ search_binary_handler+0x97/0x1d0
+ do_execveat_common.isra.34+0x667/0x810
+ SyS_execve+0x31/0x40
+ do_syscall_64+0x73/0x130
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Use kstrtoint instead of simple_strtoul. It will work as the code
+already set the delimiter byte to '\0' and we only do it when the field
+is not empty.
+
+Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX. Also tested
+with examples documented at Documentation/admin-guide/binfmt-misc.rst
+and other registrations from packages on Ubuntu.
+
+Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/binfmt_misc.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -387,8 +387,13 @@ static Node *create_entry(const char __u
+ s = strchr(p, del);
+ if (!s)
+ goto einval;
+- *s++ = '\0';
+- e->offset = simple_strtoul(p, &p, 10);
++ *s = '\0';
++ if (p != s) {
++ int r = kstrtoint(p, 10, &e->offset);
++ if (r != 0 || e->offset < 0)
++ goto einval;
++ }
++ p = s;
+ if (*p++)
+ goto einval;
+ pr_debug("register: offset: %#x\n", e->offset);
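Review bot: With `*s = '\0'` stored and `p = s` assigned, the retained `if (*p++) goto einval;` can no longer fail, because `*p` is exactly the terminator the new code just wrote; `p = s + 1;` would state the intent directly and drop the dead branch. The `if (p != s)` guard also means an empty offset field leaves `e->offset` untouched, which is only correct if the entry was zero-initialized before this point, something the hunk does not show; a comment such as `/* empty field: keep the zeroed default offset */` would record that dependency. create_entry begins before and ends after this hunk.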
+@@ -428,7 +433,8 @@ static Node *create_entry(const char __u
+ if (e->mask &&
+ string_unescape_inplace(e->mask, UNESCAPE_HEX) != e->size)
+ goto einval;
+- if (e->size + e->offset > BINPRM_BUF_SIZE)
++ if (e->size > BINPRM_BUF_SIZE ||
++ BINPRM_BUF_SIZE - e->size < e->offset)
+ goto einval;
+ pr_debug("register: magic/mask length: %i\n", e->size);
+ if (USE_DEBUG) {
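Review bot: The rewritten bounds check `e->size > BINPRM_BUF_SIZE || BINPRM_BUF_SIZE - e->size < e->offset` is correct only because both operands are known to be non-negative here (a negative offset is rejected in the earlier hunk, and size is derived from a string length), and the reason for the unusual ordering is not stated anywhere in the code. A comment above it, `/* written as a subtraction so size + offset cannot overflow; both are >= 0 here */`, would stop a later reader from "simplifying" it back to the overflowing sum that the commit removes.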
--- /dev/null
+From ebeaa367548e9e92dd9374b9464ff6e7d157117b Mon Sep 17 00:00:00 2001
+From: Even Xu <even.xu@intel.com>
+Date: Fri, 12 Feb 2016 04:11:34 +0800
+Subject: HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation
+
+From: Even Xu <even.xu@intel.com>
+
+commit ebeaa367548e9e92dd9374b9464ff6e7d157117b upstream.
+
+Current ISH driver only registers suspend/resume PM callbacks which don't
+support hibernation (suspend to disk). Basically after hiberation, the ISH
+can't resume properly and user may not see sensor events (for example: screen
+ rotation may not work).
+
+User will not see a crash or panic or anything except the following message
+in log:
+
+ hid-sensor-hub 001F:8086:22D8.0001: timeout waiting for response from ISHTP device
+
+So this patch adds support for S4/hiberbation to ISH by using the
+SIMPLE_DEV_PM_OPS() MACRO instead of struct dev_pm_ops directly. The suspend
+and resume functions will now be used for both suspend to RAM and hibernation.
+
+If power management is disabled, SIMPLE_DEV_PM_OPS will do nothing, the suspend
+and resume related functions won't be used, so mark them as __maybe_unused to
+clarify that this is the intended behavior, and remove #ifdefs for power
+management.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Even Xu <even.xu@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/intel-ish-hid/ipc/pci-ish.c | 22 +++++++---------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+@@ -204,8 +204,7 @@ static void ish_remove(struct pci_dev *p
+ kfree(ishtp_dev);
+ }
+
+-#ifdef CONFIG_PM
+-static struct device *ish_resume_device;
++static struct device __maybe_unused *ish_resume_device;
+
+ /* 50ms to get resume response */
+ #define WAIT_FOR_RESUME_ACK_MS 50
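Review bot: `static struct device __maybe_unused *ish_resume_device;` places the attribute between the type and the declarator, which reads as if it qualified `struct device` rather than the variable; attaching it to the declarator, `static struct device *ish_resume_device __maybe_unused;`, makes the target unambiguous. The same question applies to `static __maybe_unused DECLARE_WORK(resume_work, ish_resume_handler);` in a later hunk, where the attribute precedes a macro that expands to a declaration, so a reader has to know the expansion to see what it attaches to.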
+@@ -219,7 +218,7 @@ static struct device *ish_resume_device;
+ * in that case a simple resume message is enough, others we need
+ * a reset sequence.
+ */
+-static void ish_resume_handler(struct work_struct *work)
++static void __maybe_unused ish_resume_handler(struct work_struct *work)
+ {
+ struct pci_dev *pdev = to_pci_dev(ish_resume_device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -261,7 +260,7 @@ static void ish_resume_handler(struct wo
+ *
+ * Return: 0 to the pm core
+ */
+-static int ish_suspend(struct device *device)
++static int __maybe_unused ish_suspend(struct device *device)
+ {
+ struct pci_dev *pdev = to_pci_dev(device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -287,7 +286,7 @@ static int ish_suspend(struct device *de
+ return 0;
+ }
+
+-static DECLARE_WORK(resume_work, ish_resume_handler);
++static __maybe_unused DECLARE_WORK(resume_work, ish_resume_handler);
+ /**
+ * ish_resume() - ISH resume callback
+ * @device: device pointer
+@@ -296,7 +295,7 @@ static DECLARE_WORK(resume_work, ish_res
+ *
+ * Return: 0 to the pm core
+ */
+-static int ish_resume(struct device *device)
++static int __maybe_unused ish_resume(struct device *device)
+ {
+ struct pci_dev *pdev = to_pci_dev(device);
+ struct ishtp_device *dev = pci_get_drvdata(pdev);
+@@ -310,21 +309,14 @@ static int ish_resume(struct device *dev
+ return 0;
+ }
+
+-static const struct dev_pm_ops ish_pm_ops = {
+- .suspend = ish_suspend,
+- .resume = ish_resume,
+-};
+-#define ISHTP_ISH_PM_OPS (&ish_pm_ops)
+-#else
+-#define ISHTP_ISH_PM_OPS NULL
+-#endif /* CONFIG_PM */
++static SIMPLE_DEV_PM_OPS(ish_pm_ops, ish_suspend, ish_resume);
+
+ static struct pci_driver ish_driver = {
+ .name = KBUILD_MODNAME,
+ .id_table = ish_pci_tbl,
+ .probe = ish_probe,
+ .remove = ish_remove,
+- .driver.pm = ISHTP_ISH_PM_OPS,
++ .driver.pm = &ish_pm_ops,
+ };
+
+ module_pci_driver(ish_driver);
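Review bot: `static SIMPLE_DEV_PM_OPS(ish_pm_ops, ish_suspend, ish_resume);` routes freeze/thaw and poweroff/restore to the same two callbacks as suspend/resume, but nothing at the declaration says so; the rationale lives only in the commit message. A one-line comment above it, `/* suspend/resume also serve freeze/thaw and poweroff/restore (hibernation) */`, would tell the next maintainer that ish_resume is expected to cope with firmware that lost power entirely, which the resume-handler comment in an earlier hunk (firmware still alive → resume message, otherwise reset sequence) suggests it already distinguishes. ish_resume's body is outside this hunk, so I cannot confirm the restore path is exercised correctly from here.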
--- /dev/null
+From d471b6b22d37bf9928c6d0202bdaaf76583b8b61 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Tue, 12 Jun 2018 13:42:46 -0700
+Subject: HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit d471b6b22d37bf9928c6d0202bdaaf76583b8b61 upstream.
+
+The HID descriptor for the 2nd-gen Intuos Pro large (PTH-860) contains
+a typo which defines an incorrect logical maximum Y value. This causes
+a small portion of the bottom of the tablet to become unusable (both
+because the area is below the "bottom" of the tablet and because
+'wacom_wac_event' ignores out-of-range values). It also results in a
+skewed aspect ratio.
+
+To fix this, we add a quirk to 'wacom_usage_mapping' which overwrites
+the data with the correct value.
+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+CC: stable@vger.kernel.org # v4.10+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/wacom_sys.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -284,6 +284,14 @@ static void wacom_usage_mapping(struct h
+ }
+ }
+
++ /* 2nd-generation Intuos Pro Large has incorrect Y maximum */
++ if (hdev->vendor == USB_VENDOR_ID_WACOM &&
++ hdev->product == 0x0358 &&
++ WACOM_PEN_FIELD(field) &&
++ wacom_equivalent_usage(usage->hid) == HID_GD_Y) {
++ field->logical_maximum = 43200;
++ }
++
+ switch (usage->hid) {
+ case HID_GD_X:
+ features->x_max = field->logical_maximum;
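Review bot: The new quirk compares against the bare literals `0x0358` and `43200`, and the comment names the device but not why those particular values are right. Naming the product id (reusing the driver's existing id-table constant for the PTH-860 if one exists, otherwise defining one) and extending the comment, e.g. `/* PTH-860 descriptor typo: correct pen Y logical maximum is 43200 */`, would tie the override to the hardware it targets and to the descriptor bug the commit message describes. wacom_usage_mapping begins before and ends after this hunk.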
--- /dev/null
+From 9039d985811d5b109b58b202b7594fd24e433fed Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Tue, 13 Feb 2018 11:09:40 +0200
+Subject: iwlwifi: fw: harden page loading code
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit 9039d985811d5b109b58b202b7594fd24e433fed upstream.
+
+The page loading code trusts the data provided in the firmware images
+a bit too much and may cause a buffer overflow or copy unknown data if
+the block sizes don't match what we expect.
+
+To prevent potential problems, harden the code by checking if the
+sizes we are copying are what we expect.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/fw/paging.c | 49 ++++++++++++++++++++-----
+ 1 file changed, 41 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/paging.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/paging.c
+@@ -8,6 +8,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -30,6 +31,7 @@
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * Copyright(c) 2016 - 2017 Intel Deutschland GmbH
++ * Copyright(c) 2018 Intel Corporation
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -174,7 +176,7 @@ static int iwl_alloc_fw_paging_mem(struc
+ static int iwl_fill_paging_mem(struct iwl_fw_runtime *fwrt,
+ const struct fw_img *image)
+ {
+- int sec_idx, idx;
++ int sec_idx, idx, ret;
+ u32 offset = 0;
+
+ /*
+@@ -201,17 +203,23 @@ static int iwl_fill_paging_mem(struct iw
+ */
+ if (sec_idx >= image->num_sec - 1) {
+ IWL_ERR(fwrt, "Paging: Missing CSS and/or paging sections\n");
+- iwl_free_fw_paging(fwrt);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
+ }
+
+ /* copy the CSS block to the dram */
+ IWL_DEBUG_FW(fwrt, "Paging: load paging CSS to FW, sec = %d\n",
+ sec_idx);
+
++ if (image->sec[sec_idx].len > fwrt->fw_paging_db[0].fw_paging_size) {
++ IWL_ERR(fwrt, "CSS block is larger than paging size\n");
++ ret = -EINVAL;
++ goto err;
++ }
++
+ memcpy(page_address(fwrt->fw_paging_db[0].fw_paging_block),
+ image->sec[sec_idx].data,
+- fwrt->fw_paging_db[0].fw_paging_size);
++ image->sec[sec_idx].len);
+ dma_sync_single_for_device(fwrt->trans->dev,
+ fwrt->fw_paging_db[0].fw_paging_phys,
+ fwrt->fw_paging_db[0].fw_paging_size,
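Review bot: The memcpy now copies `image->sec[sec_idx].len` bytes into the CSS page, but the following dma_sync_single_for_device still covers the full `fw_paging_size`, so when the section is shorter than the page the tail the device sees is whatever the page allocation left there. Unless the paging pages are allocated zeroed (the allocator is outside this hunk and I cannot confirm it), a `memset` of the remainder, or a comment stating that the allocation is zeroed, would close that gap; the same applies to the last-block copy in the hunk ending at `image->sec[sec_idx].len - offset`, which may also copy fewer bytes than it syncs. iwl_fill_paging_mem begins in an earlier hunk and ends in a later one.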
+@@ -232,6 +240,14 @@ static int iwl_fill_paging_mem(struct iw
+ for (idx = 1; idx < fwrt->num_of_paging_blk; idx++) {
+ struct iwl_fw_paging *block = &fwrt->fw_paging_db[idx];
+
++ if (block->fw_paging_size > image->sec[sec_idx].len - offset) {
++ IWL_ERR(fwrt,
++ "Paging: paging size is larger than remaining data in block %d\n",
++ idx);
++ ret = -EINVAL;
++ goto err;
++ }
++
+ memcpy(page_address(block->fw_paging_block),
+ image->sec[sec_idx].data + offset,
+ block->fw_paging_size);
+@@ -242,19 +258,32 @@ static int iwl_fill_paging_mem(struct iw
+
+ IWL_DEBUG_FW(fwrt,
+ "Paging: copied %d paging bytes to block %d\n",
+- fwrt->fw_paging_db[idx].fw_paging_size,
+- idx);
++ block->fw_paging_size, idx);
++
++ offset += block->fw_paging_size;
+
+- offset += fwrt->fw_paging_db[idx].fw_paging_size;
++ if (offset > image->sec[sec_idx].len) {
++ IWL_ERR(fwrt,
++ "Paging: offset goes over section size\n");
++ ret = -EINVAL;
++ goto err;
++ }
+ }
+
+ /* copy the last paging block */
+ if (fwrt->num_of_pages_in_last_blk > 0) {
+ struct iwl_fw_paging *block = &fwrt->fw_paging_db[idx];
+
++ if (image->sec[sec_idx].len - offset > block->fw_paging_size) {
++ IWL_ERR(fwrt,
++ "Paging: last block is larger than paging size\n");
++ ret = -EINVAL;
++ goto err;
++ }
++
+ memcpy(page_address(block->fw_paging_block),
+ image->sec[sec_idx].data + offset,
+- FW_PAGING_SIZE * fwrt->num_of_pages_in_last_blk);
++ image->sec[sec_idx].len - offset);
+ dma_sync_single_for_device(fwrt->trans->dev,
+ block->fw_paging_phys,
+ block->fw_paging_size,
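Review bot: The `if (offset > image->sec[sec_idx].len)` test after `offset += block->fw_paging_size;` cannot trigger, because the check added at the top of the same loop body in the previous hunk already rejects a block whose `fw_paging_size` exceeds `len - offset`, and `offset` is advanced by exactly that size. Keeping it as defence in depth is reasonable, but then it should say so, e.g. `/* unreachable after the pre-copy check; kept as a guard against future edits */`, or be turned into a `WARN_ON_ONCE` so a genuine logic error is reported rather than silently treated as a malformed image.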
+@@ -266,6 +295,10 @@ static int iwl_fill_paging_mem(struct iw
+ }
+
+ return 0;
++
++err:
++ iwl_free_fw_paging(fwrt);
++ return ret;
+ }
+
+ static int iwl_save_fw_paging(struct iwl_fw_runtime *fwrt,
--- /dev/null
+From 7810e6781e0fcbca78b91cf65053f895bf59e85f Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Thu, 7 Jun 2018 17:09:29 -0700
+Subject: mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+commit 7810e6781e0fcbca78b91cf65053f895bf59e85f upstream.
+
+In __alloc_pages_slowpath() we reset zonelist and preferred_zoneref for
+allocations that can ignore memory policies. The zonelist is obtained
+from current CPU's node. This is a problem for __GFP_THISNODE
+allocations that want to allocate on a different node, e.g. because the
+allocating thread has been migrated to a different CPU.
+
+This has been observed to break SLAB in our 4.4-based kernel, because
+there it relies on __GFP_THISNODE working as intended. If a slab page
+is put on wrong node's list, then further list manipulations may corrupt
+the list because page_to_nid() is used to determine which node's
+list_lock should be locked and thus we may take a wrong lock and race.
+
+Current SLAB implementation seems to be immune by luck thanks to commit
+511e3a058812 ("mm/slab: make cache_grow() handle the page allocated on
+arbitrary node") but there may be others assuming that __GFP_THISNODE
+works as promised.
+
+We can fix it by simply removing the zonelist reset completely. There
+is actually no reason to reset it, because memory policies and cpusets
+don't affect the zonelist choice in the first place. This was different
+when commit 183f6371aac2 ("mm: ignore mempolicies when using
+ALLOC_NO_WATERMARK") introduced the code, as mempolicies provided their
+own restricted zonelists.
+
+We might consider this for 4.17 although I don't know if there's
+anything currently broken.
+
+SLAB is currently not affected, but in kernels older than 4.7 that don't
+yet have 511e3a058812 ("mm/slab: make cache_grow() handle the page
+allocated on arbitrary node") it is. That's at least 4.4 LTS. Older
+ones I'll have to check.
+
+So stable backports should be more important, but will have to be
+reviewed carefully, as the code went through many changes. BTW I think
+that also the ac->preferred_zoneref reset is currently useless if we
+don't also reset ac->nodemask from a mempolicy to NULL first (which we
+probably should for the OOM victims etc?), but I would leave that for a
+separate patch.
+
+Link: http://lkml.kernel.org/r/20180525130853.13915-1-vbabka@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Fixes: 183f6371aac2 ("mm: ignore mempolicies when using ALLOC_NO_WATERMARK")
+Acked-by: Mel Gorman <mgorman@techsingularity.net>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_alloc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3981,7 +3981,6 @@ retry:
+ * orientated.
+ */
+ if (!(alloc_flags & ALLOC_CPUSET) || reserve_flags) {
+- ac->zonelist = node_zonelist(numa_node_id(), gfp_mask);
+ ac->preferred_zoneref = first_zones_zonelist(ac->zonelist,
+ ac->high_zoneidx, ac->nodemask);
+ }
--- /dev/null
+From 7f54910fa8dfe504f2e1563f4f6ddc3294dfbf3a Mon Sep 17 00:00:00 2001
+From: Martin Brandenburg <martin@omnibond.com>
+Date: Thu, 31 May 2018 16:37:00 +0000
+Subject: orangefs: report attributes_mask and attributes for statx
+
+From: Martin Brandenburg <martin@omnibond.com>
+
+commit 7f54910fa8dfe504f2e1563f4f6ddc3294dfbf3a upstream.
+
+OrangeFS formerly failed to set attributes_mask with the result that
+software could not see immutable and append flags present in the
+filesystem.
+
+Reported-by: Becky Ligon <ligon@clemson.edu>
+Signed-off-by: Martin Brandenburg <martin@omnibond.com>
+Fixes: 68a24a6cc4a6 ("orangefs: implement statx")
+Cc: stable@vger.kernel.org
+Cc: hubcap@omnibond.com
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/orangefs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/orangefs/inode.c
++++ b/fs/orangefs/inode.c
+@@ -269,6 +269,13 @@ int orangefs_getattr(const struct path *
+ else
+ stat->result_mask = STATX_BASIC_STATS &
+ ~STATX_SIZE;
++
++ stat->attributes_mask = STATX_ATTR_IMMUTABLE |
++ STATX_ATTR_APPEND;
++ if (inode->i_flags & S_IMMUTABLE)
++ stat->attributes |= STATX_ATTR_IMMUTABLE;
++ if (inode->i_flags & S_APPEND)
++ stat->attributes |= STATX_ATTR_APPEND;
+ }
+ return ret;
+ }
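Review bot: The two `stat->attributes |= ...` lines OR into a field this hunk never initializes, so they rely on the caller having zeroed the kstat before orangefs_getattr runs; the VFS does that for statx as far as I know, but it is not visible here. A short comment above them, `/* attributes is zeroed by the VFS before we are called; only OR in our bits */`, would make the assumption explicit next to the unconditional `attributes_mask` assignment. The enclosing block opens before this hunk.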
--- /dev/null
+From f6a4b4c9d07dda90c7c29dae96d6119ac6425dca Mon Sep 17 00:00:00 2001
+From: Martin Brandenburg <martin@omnibond.com>
+Date: Thu, 31 May 2018 16:36:58 +0000
+Subject: orangefs: set i_size on new symlink
+
+From: Martin Brandenburg <martin@omnibond.com>
+
+commit f6a4b4c9d07dda90c7c29dae96d6119ac6425dca upstream.
+
+As long as a symlink inode remains in-core, the destination (and
+therefore size) will not be re-fetched from the server, as it cannot
+change. The original implementation of the attribute cache assumed that
+setting the expiry time in the past was sufficient to cause a re-fetch
+of all attributes on the next getattr. That does not work in this case.
+
+The bug manifested itself as follows. When the command sequence
+
+touch foo; ln -s foo bar; ls -l bar
+
+is run, the output was
+
+lrwxrwxrwx. 1 fedora fedora 4906 Apr 24 19:10 bar -> foo
+
+However, after a re-mount, ls -l bar produces
+
+lrwxrwxrwx. 1 fedora fedora 3 Apr 24 19:10 bar -> foo
+
+After this commit, even before a re-mount, the output is
+
+lrwxrwxrwx. 1 fedora fedora 3 Apr 24 19:10 bar -> foo
+
+Reported-by: Becky Ligon <ligon@clemson.edu>
+Signed-off-by: Martin Brandenburg <martin@omnibond.com>
+Fixes: 71680c18c8f2 ("orangefs: Cache getattr results.")
+Cc: stable@vger.kernel.org
+Cc: hubcap@omnibond.com
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/orangefs/namei.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/orangefs/namei.c
++++ b/fs/orangefs/namei.c
+@@ -314,6 +314,13 @@ static int orangefs_symlink(struct inode
+ ret = PTR_ERR(inode);
+ goto out;
+ }
++ /*
++ * This is necessary because orangefs_inode_getattr will not
++ * re-read symlink size as it is impossible for it to change.
++ * Invalidating the cache does not help. orangefs_new_inode
++ * does not set the correct size (it does not know symname).
++ */
++ inode->i_size = strlen(symname);
+
+ gossip_debug(GOSSIP_NAME_DEBUG,
+ "Assigned symlink inode new number of %pU\n",
libata-drop-sandisk-sd7ub3q-g1001-nolpm-quirk.patch
w1-mxc_w1-enable-clock-before-calling-clk_get_rate-on-it.patch
x86-intel_rdt-enable-cmt-and-mbm-on-new-skylake-stepping.patch
+iwlwifi-fw-harden-page-loading-code.patch
+orangefs-set-i_size-on-new-symlink.patch
+orangefs-report-attributes_mask-and-attributes-for-statx.patch
+hid-intel_ish-hid-ipc-register-more-pm-callbacks-to-support-hibernation.patch
+hid-wacom-correct-logical-maximum-y-for-2nd-gen-intuos-pro-large.patch
+vhost-fix-info-leak-due-to-uninitialized-memory.patch
+fs-binfmt_misc.c-do-not-allow-offset-overflow.patch
+mm-page_alloc-do-not-break-__gfp_thisnode-by-zonelist-reset.patch
--- /dev/null
+From 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Sat, 12 May 2018 00:33:10 +0300
+Subject: vhost: fix info leak due to uninitialized memory
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad upstream.
+
+struct vhost_msg within struct vhost_msg_node is copied to userspace.
+Unfortunately it turns out on 64 bit systems vhost_msg has padding after
+type which gcc doesn't initialize, leaking 4 uninitialized bytes to
+userspace.
+
+This padding also unfortunately means 32 bit users of this interface are
+broken on a 64 bit kernel which will need to be fixed separately.
+
+Fixes: CVE-2018-1118
+Cc: stable@vger.kernel.org
+Reported-by: Kevin Easton <kevin@guarana.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/vhost.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2382,6 +2382,9 @@ struct vhost_msg_node *vhost_new_msg(str
+ struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL);
+ if (!node)
+ return NULL;
++
++ /* Make sure all padding within the structure is initialized. */
++ memset(&node->msg, 0, sizeof node->msg);
+ node->vq = vq;
+ node->msg.type = type;
+ return node;
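Review bot: Zeroing only `node->msg` with a separate `memset` fixes the field that is copied to userspace today, but any field added to vhost_msg later, or any other part of the node that ends up crossing that boundary, would face the same uninitialized-padding hazard; allocating with `kzalloc(sizeof *node, GFP_KERNEL)` instead of `kmalloc` and dropping the memset closes the whole object in one step at negligible cost for a per-message allocation. The added comment is good; if the memset is kept, stating the consequence would help, e.g. `/* vhost_msg is copied to userspace; zero its padding so no kernel memory leaks */`. vhost_new_msg's signature and closing brace are outside the hunk.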